This security setting determines the period of time (in days) during which a user's ticket-granting ticket can be renewed. The STIG recommended state for this setting is: 7 or fewer days.

Rationale: If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.

Impact: None - this is the default behavior.

Solution
To establish the recommended configuration via GP, set the following UI path to 7 or fewer days:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum lifetime for user ticket renewal

Default Value: 7 days

Additional Information: Microsoft Windows Server 2019 Security Technical Implementation Guide: Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205705
Rule ID: SV-205705r569188_rule
STIG ID: WN19-DC-000050
Severity: CAT II
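
One way to audit this setting from an exported security template, as an added example that is not part of the STIG text. The function name Test-KerberosRenewalLifetime is hypothetical; it assumes the policy appears as MaxRenewAge (in days) under the [Kerberos Policy] section of a secedit export, and it flags 0 because the rationale above states that value means tickets never expire.

```powershell
# Added example, not STIG content. Test-KerberosRenewalLifetime is a hypothetical helper.
function Test-KerberosRenewalLifetime {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$TemplateLines,
        [int]$MaxDays = 7   # recommended ceiling stated on this page
    )
    $inKerberos = $false
    foreach ($line in $TemplateLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track the current INF section; only [Kerberos Policy] is relevant.
            $inKerberos = ($Matches[1] -eq 'Kerberos Policy')
            continue
        }
        if ($inKerberos -and $text -match '^MaxRenewAge\s*=\s*(\d+)$') {
            $days = [int]$Matches[1]
            # 0 is treated as a finding (page rationale: tickets never expire).
            $compliant = ($days -ge 1) -and ($days -le $MaxDays)
            return [pscustomobject]@{ Setting = 'MaxRenewAge'; Days = $days; Compliant = $compliant }
        }
    }
    # Setting absent from the export: report as non-compliant for manual review.
    return [pscustomobject]@{ Setting = 'MaxRenewAge'; Days = $null; Compliant = $false }
}

# Constructed sample export (not captured from a real system).
$sample = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
'@ -split "`r?`n"

# Evaluate the default value, the "never expires" value, and an overly long value.
Test-KerberosRenewalLifetime -TemplateLines $sample
Test-KerberosRenewalLifetime -TemplateLines ($sample -replace 'MaxRenewAge = 7', 'MaxRenewAge = 0')
Test-KerberosRenewalLifetime -TemplateLines ($sample -replace 'MaxRenewAge = 7', 'MaxRenewAge = 30')

# Live check on a domain controller (elevated prompt):
#   $cfg = Join-Path $env:TEMP 'secpol.inf'
#   secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
#   Test-KerberosRenewalLifetime -TemplateLines (Get-Content $cfg)
```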